[cifs-protocol] 115070812924583 No mention of deviation from MS-KILE regarding non-gssapi or absent checksums in AP-REQ

Sreekanth Nadendla srenaden at microsoft.com
Tue Aug 4 18:39:07 UTC 2015


Hello Andrew,
Although I don't have the exact repro that you used, I've debugged it further and found that if the checksum type is NOT 0x8003, Windows ignores such a checksum value.


Regards,
Sreekanth Nadendla
Microsoft Windows Open Specifications

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org] 
Sent: Thursday, July 30, 2015 8:49 PM
To: Sreekanth Nadendla
Cc: cifs-protocol at lists.samba.org; MSSolve Case Email
Subject: Re: 115070812924583 No mention of deviation from MS-KILE regarding non-gssapi or absent checksums in AP-REQ

On Thu, 2015-07-30 at 21:59 +0000, Sreekanth Nadendla wrote:
> Hello Andrew,
> Per section 4.1.1 of RFC 4121, the Authenticator checksum type must be
> 0x8003, which is the GSSAPI checksum. So when you say "is a non-GSSAPI
> checksum ever checked?" what do you mean by that?
> 
> Are you asking if the checksum is present in the AP-REQ Authenticator,
> whether Windows verifies if its type is the GSSAPI checksum type
> (0x8003)? If so the answer is yes, it does.

If the checksum is present, but is not 0x8003, what happens?
Our tests show that a value other than 0x8003 is accepted.  Samba currently implements that by validating it using the krb5 checksum routine appropriate to the value; what does Windows do?

Andrew Bartlett
--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba
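
The two acceptor behaviours discussed in this thread, side by side, as an added example that is not code from Samba, Windows or either participant: it parses the RFC 4121 section 4.1.1 checksum field when the type is 0x8003 and otherwise either ignores the value or verifies it. The policy names and the `verify_krb5` callback are hypothetical, and the sample bytes are constructed.

```python
import struct
from dataclasses import dataclass

GSS_CKSUMTYPE = 0x8003  # RFC 4121 section 4.1.1
GSS_FLAGS = {1: "DELEG", 2: "MUTUAL", 4: "REPLAY", 8: "SEQUENCE", 16: "CONF", 32: "INTEG"}
# Constructed sample: Lgth=16, all-zero Bnd, Flags=MUTUAL|INTEG
SAMPLE = struct.pack("<I16sI", 16, bytes(16), 0x22)

@dataclass
class GssChecksum:
    bindings_hash: bytes
    flags: list
    delegation: bytes

def parse_gss_checksum(data: bytes) -> GssChecksum:
    """Parse Lgth | Bnd | Flags | [DlgOpt | Dlgth | Deleg] (integers little-endian)."""
    if len(data) < 24:
        raise ValueError("0x8003 checksum shorter than 24 bytes")
    (lgth,) = struct.unpack_from("<I", data, 0)
    if lgth != 16:
        raise ValueError("Lgth field must be 16")
    (flags,) = struct.unpack_from("<I", data, 20)
    deleg = b""
    if flags & 1:  # delegation flag set: DlgOpt, Dlgth and Deleg must follow
        if len(data) < 28:
            raise ValueError("delegation flag set but DlgOpt/Dlgth missing")
        dlgopt, dlgth = struct.unpack_from("<HH", data, 24)
        if dlgopt != 1 or len(data) < 28 + dlgth:
            raise ValueError("malformed delegation fields")
        deleg = data[28:28 + dlgth]
    return GssChecksum(data[4:20], [n for b, n in GSS_FLAGS.items() if flags & b], deleg)

def handle_authenticator_cksum(cksumtype, checksum, policy, verify_krb5=None):
    """policy 'ignore' = behaviour reported for Windows; 'verify' = Samba's approach."""
    if cksumtype == GSS_CKSUMTYPE:
        return ("gss", parse_gss_checksum(checksum))
    if policy == "ignore":  # non-0x8003 value is not examined at all
        return ("ignored", None)
    if policy == "verify":  # hypothetical callback runs the krb5 routine for this type
        if verify_krb5 is None or not verify_krb5(cksumtype, checksum):
            raise ValueError("non-GSSAPI checksum failed verification")
        return ("verified", None)
    raise ValueError("unknown policy")
```

Under the "ignore" policy a non-0x8003 checksum contributes nothing to the acceptor's decision, so any code that relies on the Authenticator checksum for integrity should check which branch was taken.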






